≡ Menu

Ubuntu Linux install and configure OpenSSH (SSHD) server

I am totally impressed with new Ubuntu Linux server. Default installation did not install any single service :)

This gives pretty good control over box. Following command returned nothing:
$ sudo netstat -tulpn

However sshd is bare minimum these days and it should be installed by default.

To install openssh server type following command:
$ sudo apt-get install openssh-server

Make sure openssh is running:
$ netstat -tulpnOutput:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp6       0      0 :::22                   :::*                    LISTEN     3458/sshd

Now we will tight openssh security. First change default 22 port to something else like 512. This will avoid automated tools login into your box:
$ sudo su -
# vi /etc/ssh/sshd_config

Find line that read as follows:
Port 22
Replace port 22 with 512:
Port 512
Save and close the file. Restart sshd:
# /etc/init.d/ssh restartOutput:

 * Restarting OpenBSD Secure Shell server... 

Finally make sure you open port 512 using iptables. Type the following command to list current firewall rules:
$ sudo iptables -L -n
Output:

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:6881:6882 
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:514 
ACCEPT     all  --  192.168.1.100        0.0.0.0/0           
ACCEPT     all  --  192.168.1.101        0.0.0.0/0           
ACCEPT     all  --  192.168.1.102        0.0.0.0/0           
LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Use GUI program such as firestarter to manage and open port 22 (ssh port).
$ sudo firestarter &

Updated for accuracy.

Share this on:

Your support makes a big difference:
I have a small favor to ask. More people are reading the nixCraft. Many of you block advertising which is your right, and advertising revenues are not sufficient to cover my operating costs. So you can see why I need to ask for your help. The nixCraft, takes a lot of my time and hard work to produce. If you use nixCraft, who likes it, helps me with donations:
Become a Supporter →    Make a contribution via Paypal/Bitcoin →   

Don't Miss Any Linux and Unix Tips

Get nixCraft in your inbox. It's free:



{ 25 comments… add one }
  • alex November 9, 2006, 2:19 pm

    short but to the point and of use!

  • rich November 12, 2006, 11:30 am

    shouldn’t package name be openssh-server, hyphen is in wrong place?

  • nixCraft November 12, 2006, 12:29 pm

    Rich,

    Thanks for heads up! Article is updated!!!

  • Gabe November 30, 2006, 9:01 pm

    Hey! This ie exactly what I was looking for. Thanks so much!

  • neon January 31, 2007, 7:49 am

    Well it seems to match. However SSH still isn’t working.

  • nixCraft February 1, 2007, 10:01 pm

    neon.

    What error you are getting?

  • Cappy February 15, 2007, 12:56 am

    Hm … I can SSH into my server when the port is set to 22 but as soon as I set it up to a high number (30,000) and restart the ssh server all I get are server rejections. ssh -p 30000 cappy@127.0.0.1 just won’t work =(

  • nixCraft February 15, 2007, 4:17 am

    Make sure firewall is not blocking your port 30000. Run following command to see current iptables.
    sudo iptables -L -n
    OR
    iptables -L -n

    Also /etc/hosts.allow and /etc/hosts.deny can block access.

  • Fulano February 27, 2007, 7:38 am

    I followed the instructions and I seem to be going alright, I can ssh locally as another user but I cannot seem to log in from remote locations, just seems to time out. Any ideas?

  • Cappy February 27, 2007, 9:12 am

    The problem was that I ran “/etc/init.d/ssh restart” as a user and not as an admin. It ended up giving a bunch of RSA errors and somehow prevented the system from switching ports when I then ran it from root. A simple reboot fixed it. Thanks for the guide!

  • xain March 29, 2007, 2:05 pm

    what is the point that after changing port from 22 to 512, but still to make sure iptables open port 22?

  • nixCraft March 30, 2007, 3:20 am

    xain,

    It was typo and post has been updated. Thanks for heads up.

  • Markku April 1, 2007, 8:42 pm

    I cant get it to work. When i try to run openssh-server it just says fail.

  • sungmin June 17, 2007, 8:09 pm

    what is difference with login in with login and password and with PUB key ? also what if I have 10 users who needs to login to my Linux box, what is best way for them to login ? with login and password or with PUB KEYS ?

  • brandon October 29, 2007, 3:40 am

    I can ssh from ubuntu to osX, but not from osX to ubuntu. I had the same situation where I could go from winXP to osX, but not the other way. Since it works ubuntu to osX does that mean I need to switch the dsa keys around, or do they work but ways? So, it seems like the problem must be in ubuntu’s firewall or the router’s portforwarding. When I setup portforwarding I feel like I should open port 22 for the mac’sip if i want to get into the mac. Strangely that doesn’t work, but when I open port 22 for 192.168.0.1 (the router’s ip) then I can ssh into the mac. I want to have SAMBA and VNC forwarded over ssh. I want the ubuntu to be headless but then I want to open VLC on the mac and watch a movie from the ubuntu. Once long ago I was able to get VNC to work both ways with a mac and a win2k machine. I don’t know what I’m doing wrong.

  • loh March 22, 2008, 3:05 pm

    First time installing ubuntu 7.10. This was very helpful.

  • El Perro Loco January 2, 2009, 2:44 pm

    Good article. Short, complete and to the point.
    Thanks.

  • ssh_user April 7, 2009, 8:51 pm

    Ubuntu 8.10 64 bits, no firewall active.
    After changing ssh listning port from 22 to 2223, connecting fails, see dump below
    Can somebody explain what can cause a ‘Read from socket failed: Connection reset by peer’. The question is in several forums, couldn’t find answers yet.

    dump:

    jaap@jaap-laptop:~$ ssh -p 2223 jaap@localhost -vvv
    OpenSSH_5.1p1 Debian-3ubuntu1, OpenSSL 0.9.8g 19 Oct 2007
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug2: ssh_connect: needpriv 0
    debug1: Connecting to localhost [127.0.0.1] port 2223.
    debug1: Connection established.
    debug1: identity file /home/jaap/.ssh/identity type -1
    debug1: identity file /home/jaap/.ssh/id_rsa type -1
    debug1: identity file /home/jaap/.ssh/id_dsa type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-3ubuntu1
    debug1: match: OpenSSH_5.1p1 Debian-3ubuntu1 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-3ubuntu1
    debug2: fd 3 setting O_NONBLOCK
    debug1: SSH2_MSG_KEXINIT sent
    Read from socket failed: Connection reset by peer
  • Japan Shah July 6, 2009, 5:15 am

    Thanks it works !!!

  • I can't see to get this working January 28, 2010, 10:28 am

    Hi,
    I try installing Ubuntu Server 8.10, and i tell u, installation when just fine. I get stuck on the part where u need to configure /etc/network/interfaces, that, because i need the server to have a static IP. I have ADSL connection, and IP’s r assing by the modem/router (Thompson SpeedTouch). IP’s r configure as “start 10.0.0.34 – end 10.0.0.134” “sbnetmask 255.255.255.0” that’s in the modem/router, and obvious it gives me the router IP number. Now, if i want to assing a static IP to the server it should be some like “10.0.0.3” SM “255.255.255.0” and what is Broadcast, Network and some other’s that has to be edited with “VIM”. I mean, im from windows xp, and i want to host my own web page, and mail server, plus some sharing files locally, maybe log-on remotelly… that’s all i want; but this part is killing me. anyone willing to help please? thanks in advanced.

  • Samuel Berryman February 27, 2010, 12:46 pm

    I have just installed Ubuntu 9.10 and it is all working fine! However when I try to install openssh like it tells me to above i get the following error:

    Reading Package Lists… Done
    Building dependency tree
    Reading state information… Done
    package openssh-server is not available, but is referred to by another package.
    This may mean that the package is missing, has been obsoleted, or
    is only available from another source
    E: Package openssh-server has no installation candidate

    I dont know why it is doing this and really could do with some help please!

  • Dmitry April 12, 2010, 8:16 am

    I had the same proplem.
    All you need do is to update your system:
    >sudo aptitude update

  • Melroy van den Berg May 21, 2010, 9:33 pm

    You can also try putty, i prefer that more then firestarter.

  • trioggle June 2, 2010, 2:05 am

    Firestarter is a firewall gui, putty is a shell client.

  • hejmiki September 10, 2010, 3:06 pm

    I think there is another TYPO

    correct me if i’m wrong
    You set up Port 22 –> Port 512

    and then in your output of sudo iptables -L -n
    there is no rule for accepting tcp on Port 512 but there is Port 514 (udp)

Leave a Comment